From acea71c326719cb379ee454987a380af79613767 Mon Sep 17 00:00:00 2001
From: Landon Dyck
Date: Wed, 22 Oct 2025 21:47:09 -0500
Subject: [PATCH] scripts v1
---
ansible/deploy.sh | 19 +++++++++++++++++++
ansible/encrypt_string.sh | 10 ++++++++++
ansible/lint.sh | 18 ++++++++++++++++++
ansible/nebula_cert.sh | 30 ++++++++++++++++++++++++++++++
ansible/nebula_new_ca.sh | 31 +++++++++++++++++++++++++++++++
ansible/setup.sh | 20 ++++++++++++++++++++
ansible/unlock.sh | 13 +++++++++++++
ansible/virtualenv.sh | 10 ++++++++++
dns/deploy.sh | 19 +++++++++++++++++++
dns/setup.sh | 7 +++++++
10 files changed, 177 insertions(+)
create mode 100755 ansible/deploy.sh
create mode 100755 ansible/encrypt_string.sh
create mode 100755 ansible/lint.sh
create mode 100755 ansible/nebula_cert.sh
create mode 100755 ansible/nebula_new_ca.sh
create mode 100755 ansible/setup.sh
create mode 100755 ansible/unlock.sh
create mode 100755 ansible/virtualenv.sh
create mode 100755 dns/deploy.sh
create mode 100755 dns/setup.sh
diff --git a/ansible/deploy.sh b/ansible/deploy.sh
new file mode 100755
index 0000000..0a95d1c
--- /dev/null
+++ b/ansible/deploy.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Author: Landon Dyck
+# This is a convenience wrapper around ansible-playbook using the python env. Can take any
+# additional ansible-playbook parameters, such as tags. Use unlock.sh first for even more
+# convenience.
+# Usage: $ ./deploy.sh [additional params]
+
+PATH=${PWD}/env/bin:${PATH}
+
+set -ex
+
+if [ -f .env ]; then
+ export $(cat .env | xargs)
+fi
+
+cd ansible/
+
+time ansible-playbook main.yml --diff $@
\ No newline at end of file
diff --git a/ansible/encrypt_string.sh b/ansible/encrypt_string.sh
new file mode 100755
index 0000000..44316aa
--- /dev/null
+++ b/ansible/encrypt_string.sh
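Review bot: `set -ex` is enabled before `export $(cat .env | xargs)`, so bash traces the expanded `export KEY=value ...` command to stderr and every value held in .env — presumably the credentials the playbook needs — lands in terminal scrollback or whatever log captures the run. The unquoted `$(...)` also word-splits and glob-expands the values, so an entry containing a space or `*` is exported wrong, and `$@` on the last line should be `"$@"` so a tag argument containing a space survives. Loading .env by sourcing it under allexport and enabling tracing only afterwards avoids both problems; dns/deploy.sh carries the same `export $(cat .env | xargs)` line and would take the same fix.
```shell
# … unchanged: header comment and PATH line …

set -e

# Load .env under allexport so quoted values survive intact; tracing is
# switched on only afterwards so the values are never echoed by set -x.
if [ -f .env ]; then
  set -a
  . ./.env
  set +a
fi

set -x

cd ansible/

time ansible-playbook main.yml --diff "$@"
```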
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Author: Landon Dyck
+# This is a convenience wrapper around ansible-vault's encrypt_string function in the
+# python env. Use unlock.sh first for additional convenience.
+# Usage: $ ./encrypt_string.sh
+
+PATH=${PWD}/env/bin:${PATH}
+cd ansible
+ansible-vault encrypt_string
\ No newline at end of file
diff --git a/ansible/lint.sh b/ansible/lint.sh
new file mode 100755
index 0000000..57a51bc
--- /dev/null
+++ b/ansible/lint.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Author: Landon Dyck
+# This runs yamllint and ansible-lint on the ansible scripts, then ansible-playbook's syntax
+# checker.
+# Usage: $ ./lint.sh
+
+set -e
+
+PATH=${PWD}/env/bin:${PATH}
+
+yamllint -sc ansible/yamllint.yml ansible
+
+cd ansible/
+
+ansible-lint -p
+
+ansible-playbook main.yml --syntax-check
\ No newline at end of file
diff --git a/ansible/nebula_cert.sh b/ansible/nebula_cert.sh
new file mode 100755
index 0000000..0cb8897
--- /dev/null
+++ b/ansible/nebula_cert.sh
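Review bot: `cd ansible` is unchecked and the script has no `set -e`, so when the directory is missing (the script run from anywhere but the repository root) `ansible-vault encrypt_string` still executes in the wrong directory and picks up whatever ansible.cfg and vault settings happen to be there — presumably the vault password source lives in ansible/ansible.cfg, though that file is not part of this commit. `cd ansible || exit 1` closes that gap. Since this is a wrapper, forwarding the caller's arguments, `ansible-vault encrypt_string "$@"`, would let callers pass `--name` or `--vault-id` the way deploy.sh forwards its arguments.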
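Review bot: The usage line `# Usage: $ ./lint.sh` does not match how the script resolves paths: `ansible/yamllint.yml`, `cd ansible/` and `${PWD}/env/bin` are all relative to the caller's working directory, so the script only works when invoked from the repository root as `ansible/lint.sh`, and from inside ansible/ (where the file lives) `cd ansible/` fails and `set -e` aborts. Either document that, `# Usage: run from the repository root: $ ansible/lint.sh`, or make the script independent of the cwd with `cd "$(dirname -- "$0")/.." || exit 1` ahead of the PATH line. deploy.sh, setup.sh, encrypt_string.sh and the dns scripts carry the same `./name.sh` usage line with the same cwd dependency.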
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Author: Landon Dyck
+# Generates and encrypts a new certificate for a nebula host. Calls unlock.sh so you don't
+# have to enter your password twice, but will honor an unlock.sh called outside the script.
+# Don't forget to add the host and ip address in ansible/group_vars/all/nebula.yml
+#
+# Usage: $ ./nebula_cert.sh ip_address hostname
+# * ip_address: the ip address of the host. Make sure it's in the correct /24 network
+# * hostname: the hostname of the host. If I need to explain more, you probably should
+# not use this
+
+. $(dirname "$0")/unlock.sh
+ca_crt=roles/nebula/files/ca.crt
+ca_key=roles/nebula/files/ca.key
+client_key=roles/nebula/files/certs/$2.key
+client_crt=roles/nebula/files/certs/$2.crt
+
+
+cd ansible/
+ansible-vault decrypt roles/nebula/files/ca.*
+nebula-cert sign \
+ -ip "$1/24" \
+ -name $2 \
+ -out-key $client_key \
+ -out-crt $client_crt \
+ -ca-crt $ca_crt \
+ -ca-key $ca_key
+read -p "Press [Enter] key to complete encryption"
+ansible-vault encrypt roles/nebula/files/certs/$2.* roles/nebula/files/ca.*
diff --git a/ansible/nebula_new_ca.sh b/ansible/nebula_new_ca.sh
new file mode 100755
index 0000000..eb40025
--- /dev/null
+++ b/ansible/nebula_new_ca.sh
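Review bot: `ansible-vault decrypt roles/nebula/files/ca.*` rewrites the vaulted CA key (and, since both files are decrypted, presumably the vaulted certificate) in the working tree as plaintext, and nothing re-encrypts them unless the script reaches its last line: there is no `set -e` and no trap, so a failed `nebula-cert sign`, a Ctrl-C at the `read` prompt or a missing argument leaves ca.key decrypted on disk where the next commit picks it up. Decrypting into a `mktemp -d` directory with `--output` and pointing `-ca-key`/`-ca-crt` there means the tree copies are never touched and a trap removes the plaintext on every exit path; this matters twice over because nebula_new_ca.sh invokes this script once per host. An argument-count guard is needed too, since an empty `$2` silently writes `certs/.key`, and `$2`, `$client_key` and the other expansions should be quoted.
```shell
set -eo pipefail

if [ "$#" -ne 2 ]; then
  printf 'usage: %s ip_address hostname\n' "$0" >&2
  exit 2
fi

. "$(dirname -- "$0")/unlock.sh"
# … unchanged: ca_crt/ca_key/client_key/client_crt assignments and cd ansible/ …

# Decrypt the CA material only into a private temp dir (mktemp -d is 0700)
# and remove it on every exit path; the vaulted copies in the tree are never
# rewritten, so no plaintext key is left behind when a later step fails.
tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT
ansible-vault decrypt --output "$tmpdir/ca.crt" "$ca_crt"
ansible-vault decrypt --output "$tmpdir/ca.key" "$ca_key"

nebula-cert sign \
  -ip "$1/24" \
  -name "$2" \
  -out-key "$client_key" \
  -out-crt "$client_crt" \
  -ca-crt "$tmpdir/ca.crt" \
  -ca-key "$tmpdir/ca.key"

read -r -p "Press [Enter] key to complete encryption"
ansible-vault encrypt "$client_key" "$client_crt"
```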
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Author: Landon Dyck
+# Nebula CAs expire, and creating a new one is a hassle. This creates a new CA certificate,
+# then recreates each certificate for the hosts in ansible/group_vars/nebula.yml. Once
+# the new certificates are deployed, the old ones cannot be used. Caution should be taken
+# to avoid breaking the network.
+#
+# Usage: $ ./nebula_new_ca.sh
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+create_cert="$SCRIPT_DIR/nebula_cert.sh"
+$SCRIPT_DIR/unlock.sh
+
+ca_key=ansible/roles/nebula/files/ca.key
+ca_crt=ansible/roles/nebula/files/ca.crt
+
+nebula-cert ca \
+ -duration 26280h \
+ -name 'Code Monkey Software LLC' \
+ -out-crt $ca_crt \
+ -out-key $ca_key
+
+
+NEBULA_CLIENTS=$(yq '.nebula.clients | keys' ansible/group_vars/all/nebula.yml -o c | tr "," "\n")
+
+for client in $NEBULA_CLIENTS
+do
+ ip=$(yq ".nebula.clients.$client.ip" ansible/group_vars/all/nebula.yml)
+ $create_cert $ip $client
+done
\ No newline at end of file
diff --git a/ansible/setup.sh b/ansible/setup.sh
new file mode 100755
index 0000000..ae1b845
--- /dev/null
+++ b/ansible/setup.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Author: Landon Dyck
+# Installs ansible dependencies in a python env
+#
+# Usage: $ ./setup.sh
+
+set -e
+
+PATH=${PWD}/env/bin:${PATH}
+
+set -x
+
+python -m venv env
+
+pip install -Ur ansible/requirements.txt
+
+cd ansible/ && ansible-galaxy install -r galaxy-requirements.yml
+
+go install github.com/mikefarah/yq/v4@latest
\ No newline at end of file
diff --git a/ansible/unlock.sh b/ansible/unlock.sh
new file mode 100755
index 0000000..3092d11
--- /dev/null
+++ b/ansible/unlock.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Author: Landon Dyck
+# Will prompt for your bitwarden vault password and retain the open session in your environment
+# Idempotent
+
+# Usage: $ . ./unlock.sh
+
+if [[ -z "${BW_SESSION}" ]]; then
+ export BW_SESSION=$(bw unlock --raw)
+fi
+
+bw sync
\ No newline at end of file
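Review bot: `$SCRIPT_DIR/unlock.sh` executes unlock.sh in a child process, so the `export BW_SESSION` it performs is lost when it returns and each per-host `$create_cert` call, which sources its own unlock.sh, prompts for the vault password again — the opposite of what the unlock.sh header (`. ./unlock.sh`) intends; the line should read `. "$SCRIPT_DIR/unlock.sh"`. There is also no `set -e`, so if `nebula-cert ca` fails (it refuses to overwrite an existing output key, if I recall its behaviour correctly — worth confirming) the loop still runs and re-signs every host against the old CA, while on success the new ca.key sits in plaintext in the tree until the first nebula_cert.sh run re-encrypts it, and indefinitely if the client list is empty. Adding `set -eo pipefail` at the top and `ansible-vault encrypt "$ca_key" "$ca_crt"` directly after `nebula-cert ca` keeps the tree in the state nebula_cert.sh expects, since that script decrypts ca.* before signing. `$ip`, `$client` and `$create_cert` should be quoted as well.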
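Review bot: `go install github.com/mikefarah/yq/v4@latest` installs whatever yq release is current at run time, so two setups can end up with different tools and an incompatible or compromised release is picked up without anyone choosing it; dns/setup.sh in this same commit pins dnscontrol to v4.26.0, so pinning here too, `go install github.com/mikefarah/yq/v4@<PINNED_VERSION>`, is both safer and consistent. `go install` also places the binary under GOBIN (or $GOPATH/bin), not in the env/bin directory the other scripts prepend to PATH, so the nebula scripts presumably rely on that directory already being on the caller's PATH — a sentence in the header comment saying so would save a confusing "yq: command not found" later. Whether ansible/requirements.txt pins its versions cannot be seen from this commit.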
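Review bot: `export BW_SESSION=$(bw unlock --raw)` masks bw's exit status, so a wrong master password exports an empty BW_SESSION, the script carries on to `bw sync`, and because this file is sourced a caller such as nebula_cert.sh continues without a session instead of stopping. Splitting the assignment lets the failure propagate whether the file is sourced or executed: `BW_SESSION=$(bw unlock --raw) || { return 1 2>/dev/null || exit 1; }` followed by `export BW_SESSION`. The test on the line above should read `${BW_SESSION:-}` so a caller that enables `set -u` does not abort on the unset variable.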
diff --git a/ansible/virtualenv.sh b/ansible/virtualenv.sh
new file mode 100755
index 0000000..6424a8f
--- /dev/null
+++ b/ansible/virtualenv.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+
+# Author: Landon Dyck
+# Mounts the virtual environment in your path
+
+# Usage: $ . ./virtualenv.sh
+
+
+PATH=${PWD}/env/bin:${PATH}
\ No newline at end of file
diff --git a/dns/deploy.sh b/dns/deploy.sh
new file mode 100755
index 0000000..77635ad
--- /dev/null
+++ b/dns/deploy.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Author: Landon Dyck
+# Deploys the dns configuration
+#
+# Usage: $ ./deploy.sh
+
+export $(cat .env | xargs)
+
+cd dns
+
+dnscontrol preview
+
+echo
+read -sp $'\e[34mPress \e[1;32m[Enter]\e[0;34m key to deploy or \e[1;31mCTRL+C\e[0;34m to cancel\e[0m'
+echo
+echo
+
+dnscontrol push
diff --git a/dns/setup.sh b/dns/setup.sh
new file mode 100755
index 0000000..dfbd0ff
--- /dev/null
+++ b/dns/setup.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Author: Landon Dyck
+# Installs dnscontrol
+#
+# Usage: $ ./setup.sh
+go install -v github.com/StackExchange/dnscontrol/v4@v4.26.0
\ No newline at end of file
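Review bot: `PATH=${PWD}/env/bin:${PATH}` is relative to wherever the user happens to be when sourcing, so sourced from any directory other than the repository root it silently prepends a non-existent path and whichever ansible is on the system PATH gets used instead of the venv's. A one-line guard makes the mistake visible: `[ -d "${PWD}/env/bin" ] || printf 'virtualenv.sh: %s/env/bin not found; source this from the repository root\n' "$PWD" >&2`. The header could also say "Prepends the virtual environment's bin directory to your PATH" rather than "Mounts", which is what the line actually does.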
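Review bot: Nothing stops `dnscontrol push` when an earlier step fails: there is no `set -e`, `cd dns` is unchecked, a non-zero `dnscontrol preview` still falls through to the confirmation prompt, and when stdin is not a terminal `read` fails immediately and the push goes ahead with no confirmation at all. `set -eo pipefail` at the top plus `read -rsp $'…' || exit 1` on the prompt line makes a failed preview or an absent operator abort instead of changing live DNS. The `export $(cat .env | xargs)` line has the quoting problem raised on ansible/deploy.sh, and here it also runs without the `-f .env` check, so a missing file makes `export` print the whole exported environment to stdout rather than loading anything.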